SMB Volume encryption

[Lennix]

I've noticed you've integrated csi-driver-smb to connect to storage-boxes. I got this setup running for a couple months now for (very) cheap storage and it works pretty good. The connection gets dropped some times and you have to re-spawn the pod to reconnect, but overall its fine.

I also noticed that you worked out encryption for longhorn and hetzner-csi and I was wondering if the same could be achieved for the smb driver?

Since the smb traffic is unencrypted, this sounds like a very interesting use case to me.

[mysticaltech]

@aleksasiriski You are probably more familiar with that use case!

[aleksasiriski]

I haven't experienced any drops in connection with my settings which I will share as soon as I get to my PC.

I'll look into implementing encryption at REST.

[aleksasiriski]

Here are my settings for Storage Box CIFS/SMB:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: storage-box
  namespace: default
  annotations:
    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
spec:
  capacity:
    storage: 5Ti
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=568
    - gid=568
    - vers=3.0
    - noperm
    - mfsymlinks
    - cache=strict
    - noserverino
  csi:
    driver: smb.csi.k8s.io
    readOnly: false
    volumeHandle: uXXXXXX.your-storagebox.de/backup##
    volumeAttributes:
      source: "//uXXXXXX.your-storagebox.de/backup"
    nodeStageSecretRef:
      name: storage-box-credentials
      namespace: default
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: storage-box
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Ti
  volumeName: storage-box
  storageClassName: smb

[aleksasiriski]

This reddit post suggests that we need to use CryFS (which is still not stable), GocryptFS or securefs (still not at 1.0).

Having said that, since GocryptFS is the only really stable and tested one, also written in Go which makes it easier to use as a csi driver, I'll look into implementing that. But be warned, Hetzner Storage Boxes are HDDs that can be quite slow since they're all shared between users, adding encryption on top could result in abnormally slow transfer speeds. Maybe a dedicated box with large storage would better suit some users (especially with NFS instead of SMB)

[gefloh]

What is silly in general is that these storage boxes don't have fixed IPs or subnets which means you have to open the outgoing firewall for port 445/TCP basically to the world which is not really nice.

[mysticaltech]

Ok good to hear, it's @aleksasiriski who worked on that feature, so he might know more!

[aleksasiriski]

I myself use the option to allow all outbound traffic, so 445 included, but yes: Hetzner Storage Boxes are accessed via domain name, but there's an option for Storage Boxes to only allow traffic from the Hetzner Network so there might be a possibility if Hetzner tells us how they do that (which IP ranges they use?) so that we could use that for the outbound traffic on port 445.

[gefloh]

Yeah, basically I asked them if they can provide ranges or subnets or anything, but they didn't seem to want that.

[mysticaltech]

@gefloh You could fetch the A record every 5 minutes and update the firewall via the Hetzner API if the IP changed.

[gefloh]

Interesting idea @mysticaltech , that would work. Will think about that. ;-)